BACKGROUND OF THE INVENTION

1. Field of the Invention 

This invention relates generally to the field of quantum cryptography, and more
particularly to a method for exchanging a key with guaranteed security using systems
vulnerable to photon number splitting (PNS) attacks, i.e. a quantum cryptography
protocol robust against PNS attacks.

2. Discussion of Prior Art 

If two users possess shared random secret information (hereafter the "key"), they can
achieve, with provable security, two of the goals of cryptography: 1) making their
messages unintelligible to an eavesdropper and 2) distinguishing legitimate messages
from forged or altered ones. A one-time pad cryptographic algorithm achieves the first
goal, while Wegman-Carter authentication achieves the second one. Unfortunately both
of these cryptographic schemes consume key material and render it unfit for further use. It is
thus necessary for the two parties wishing to protect the messages they exchange with
either or both of these cryptographic techniques to devise a way to exchange fresh key
material. The first possibility is for one party to generate the key and to inscribe it on a
physical medium (disc, cd-rom, rom) before passing it to the second party. The problem
with this approach is that the security of the key depends on the fact that it has been
protected during its entire lifetime, from its generation to its use, until it is finally
discarded. In addition, it is very impractical and tedious.

Because of these difficulties, in many applications one resorts instead to purely
mathematical methods allowing two parties to agree on a shared secret over an
insecure communication channel. Unfortunately, all such mathematical methods for key
agreement rest upon unproven assumptions, such as the difficulty of factoring large
integers. Their security is thus only conditional and questionable. Future mathematical
developments may prove them totally insecure.

Quantum cryptography (QC) is the only method allowing the distribution of a secret key
between two distant parties, the emitter and the receiver, [1] with provable absolute
security. Both parties encode the key on elementary quantum systems, such as
photons, which they exchange over a quantum channel, such as an optical fiber. The
security of this method comes from the well-known fact that the measurement of an
unknown quantum state modifies the state itself: a spy eavesdropping on the quantum
channel cannot get information on the key without introducing errors in the key
exchanged between the emitter and the receiver. In equivalent terms, QC is secure
because of the no-cloning theorem of quantum mechanics: a spy cannot duplicate the
transmitted quantum system and forward a perfect copy to the receiver.

Several QC protocols exist. These protocols describe how the bit values are encoded
on quantum states and how the emitter and the receiver cooperate to produce a secret
key. The most commonly used of these protocols, which was also the first one to be
invented, is known as the Bennett-Brassard 84 protocol (BB84) [2]. The emitter
encodes each bit on a two-level quantum system either as an eigenstate of $\sigma_x$
($|+x\rangle$ coding for "0" and $|-x\rangle$ coding for "1") or as an eigenstate of
$\sigma_y$ ($|+y\rangle$ or $|-y\rangle$, with the same convention). The quantum system
is sent to the receiver, who measures either $\sigma_x$ or $\sigma_y$. After the
exchange of a large number of quantum systems, the emitter and the receiver perform a
procedure called basis reconciliation. The emitter announces to the receiver, over a
conventional and public communication channel, the basis x or y (eigenstate of
$\sigma_x$ or $\sigma_y$) in which each quantum system was prepared. When the receiver
has used the same basis as the emitter for his measurement, he knows that the bit
value he has measured must be the one which was sent over by the emitter. He
indicates publicly for which quantum systems this condition is fulfilled. Measurements
for which the wrong basis was used are simply discarded. In the absence of a spy, the
sequence of bits shared is error free. Although a spy who wants to get some information
about the sequence of bits that is being exchanged can choose between several
attacks, the laws of quantum physics guarantee that he will not be able to do so without
introducing a noticeable perturbation in the key.



Other protocols - like the Bennett 92 (B92) [3] - have been proposed.

In practice, the apparatuses are imperfect and also introduce some errors in the bit
sequence. In order to still allow the production of a secret key, the basis reconciliation
part of the protocol is complemented by other steps. This whole procedure is called key
distillation. The emitter and the receiver check the perturbation level, also known as
quantum bit error rate (QBER), on a sample of the bit sequence in order to assess the
secrecy of the transmission. In principle, errors should be encountered only in the
presence of an eavesdropper. In practice however, because of the imperfections of the
apparatus, a non-zero error probability can also always be observed. Provided this
probability is not too large, it does not prevent the distillation of a secure key. These
errors can indeed be corrected, before the two parties apply a so-called privacy
amplification algorithm that will reduce the information quantity of the spy to an
arbitrarily small level.

In recent years, several demonstrations of QC systems have been implemented using
photons as the information carriers and optical fibers as quantum channels. While the
original proposal called for the use of single photons as elementary quantum systems to
encode the key, their generation is difficult and good single-photon sources do not exist
yet. Instead, most implementations have relied on the exchange between the emitter
and the receiver of weak coherent states, such as weak laser pulses, as approximations
to ideal elementary quantum systems. Each pulse is a priori in a coherent state
$|\sqrt{\mu}\,e^{i\theta}\rangle$ of weak intensity (typically the average photon number
per pulse $\mu \approx 0.1$ photons). However since the phase reference of the emitter
is not available to the receiver or the spy, they see a mixed state, which can be
re-written as a mixture of Fock states, $\sum_n p_n |n\rangle\langle n|$, where the
number n of photons is distributed according to Poissonian statistics with mean $\mu$
and $p_n = e^{-\mu}\mu^n/n!$. QC with weak pulses can be re-interpreted as
follows: a fraction $p_1$ of the pulses sent by the emitter contain exactly one photon, a
fraction $p_2$ two photons, and so on, while a fraction $p_0$ of the pulses are simply
empty and do not contribute to the key transmission. Consequently, in QC apparatuses
employing weak pulses, a rather important fraction of the non-empty pulses actually
contain more than one photon. The spy is then not limited any longer by the no-cloning
theorem. He can simply keep some of the photons while letting the others go to the
receiver. Such an attack is called photon-number splitting (PNS) attack. If we assume
that the only constraints limiting the technological power of the spy are the laws of
physics, the following attack is in principle possible: (1) for each pulse, the spy counts
the number of photons, using a photon number quantum non-demolition measurement;
(2) he blocks the single photon pulses, while keeping one photon of the multi-photon
pulses in a quantum memory and forwarding the remaining photons to the receiver
using a perfectly transparent quantum channel; (3) he waits until the emitter and the
receiver publicly reveal the bases used, and correspondingly measures the photons
stored in his quantum memory: he must discriminate between two orthogonal states,
and this can be done deterministically. In this way, he obtains full information on the
key, which implies that no procedure allows the legitimate users to distill a secret key.
In addition, the spy does not introduce any discrepancies in the bit sequences of
the emitter and the receiver. The only constraint on PNS attacks is that the presence of
the spy should remain undetected. In particular, he must ensure that the rate of photons
received by the receiver is not modified.

In the absence of the spy, the raw rate of photons that reach the receiver is given by:

$$R_{\mathrm{Receiver}}(\delta) = \mu \cdot 10^{-\delta/10} \quad \text{[photons/pulse]} \qquad (1)$$

where $\delta = \alpha L$ is the total attenuation in dB of the quantum channel of length L.
Thus, the PNS attack can be performed on all passing pulses only when
$\delta > \delta_c$ with $R_{\mathrm{Receiver}}(\delta_c) = p_2$: the losses that the
receiver expects because of the fiber attenuation are equal to those introduced by the
action of the spy storing and blocking photons. For shorter distances, the spy sends a
fraction q of the pulses on his perfectly transparent channel without doing anything and
performs the PNS attack on the remaining 1-q fraction of the pulses. The receiver
measures a raw detection rate

$$R_{\mathrm{Receiver|spy}}(q) = q\mu + (1-q)B \quad \text{[photons/pulse]} \qquad (2)$$

where $B = \sum_{n \ge 2} p_n (n-1)$. The parameter q is chosen so that
$R_{\mathrm{Receiver|spy}}(q) = R_{\mathrm{Receiver}}(\delta)$.
The information the spy gets on a bit sent by the emitter is 0 when he does nothing, and
1 when he performs the PNS attack, provided of course that the receiver has received at
least one photon:

I sM= I7T^ [bits/pulse] (3) 

with $S = \sum_{n \ge 2} p_n$. The critical length of the quantum channel is determined
by the condition $R_{\mathrm{Receiver}}(\delta_c) = R_{\mathrm{Receiver|spy}}(q=0)$. For
an average photon number $\mu = 0.1$, one finds $\delta_c = 13$ [dB], which corresponds
to a distance of the order of 50 km ($\alpha = 0.25$ [dB/km]).
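
The following Python sketch is an added example, not part of the original text: it evaluates equations (1) and (2) with the Poissonian $p_n$ and reproduces the critical attenuation quoted above for $\mu = 0.1$. All function names are chosen for this example only.

```python
import math

def poisson(n, mu):
    """Photon-number distribution of a weak pulse: p_n = e^{-mu} mu^n / n!"""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def rate_no_spy(mu, delta_db):
    """Eq. (1): raw rate at the receiver through delta_db of channel loss."""
    return mu * 10 ** (-delta_db / 10)

def pns_forward_rate(mu, n_max=40):
    """B = sum_{n>=2} p_n (n-1): photons forwarded when every pulse is split.
    The n = 2 term p_2 dominates at small mu."""
    return sum(poisson(n, mu) * (n - 1) for n in range(2, n_max))

def rate_with_spy(mu, q):
    """Eq. (2): a fraction q passes untouched, 1-q undergoes the PNS attack."""
    return q * mu + (1 - q) * pns_forward_rate(mu)

def critical_attenuation_db(mu):
    """delta_c from R_Receiver(delta_c) = R_Receiver|spy(q=0) = B."""
    return 10 * math.log10(mu / pns_forward_rate(mu))

def untouched_fraction(mu, delta_db):
    """q that makes Eq. (2) equal Eq. (1); clipped to 0 once delta >= delta_c."""
    b = pns_forward_rate(mu)
    return max(0.0, (rate_no_spy(mu, delta_db) - b) / (mu - b))

def critical_length_km(mu, alpha_db_per_km):
    """Channel length at which the attenuation alpha * L reaches delta_c."""
    return critical_attenuation_db(mu) / alpha_db_per_km

if __name__ == "__main__":
    mu, alpha = 0.1, 0.25  # values used in the text
    print(f"delta_c = {critical_attenuation_db(mu):.2f} dB, "
          f"L_c = {critical_length_km(mu, alpha):.1f} km")
    for delta in (0, 5, 10, 13.2):
        q = untouched_fraction(mu, delta)
        print(f"delta = {delta:5.1f} dB  q = {q:.3f}  "
              f"expected rate = {rate_no_spy(mu, delta):.5f}  "
              f"rate with spy = {rate_with_spy(mu, q):.5f}")
```

A link budget whose attenuation exceeds the value returned by `critical_attenuation_db` is in the regime where, per the text, the rate observed by the receiver no longer constrains the spy.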

Although the PNS attacks are far beyond today's technology, their consequences on the
security of a QC system relying on weak coherent states are devastating, when they are
included in the security analysis [4]. The extreme vulnerability of the BB84 protocol to
PNS attacks is due to the fact that whenever the spy can keep one photon, he gets all
the information, since he has to discriminate between two eigenstates of a known
Hermitian operator, which is allowed by the laws of quantum physics.

SUMMARY OF THE INVENTION 

The primary object of the invention is to allow the exchange of a key featuring absolute
security with a quantum cryptography apparatus using approximations, such as weak
coherent states, to ideal elementary quantum systems.

It covers a new class of protocols for QC in which the emitter encodes each bit onto a
pair of non-orthogonal states belonging to at least two suitable sets, which allow
PNS attacks to be neutralized, and thus lead to secure implementations of QC with weak
coherent states over longer distances than present protocols.

The apparatus of the emitter (see Fig. 1) consists of a source of quantum states and a
preparation device. Both of these elements are controlled by a processing unit. A
random number generator is connected to this processing unit, in order to allow random
preparation of the quantum states. After preparation, these states are sent along a
quantum channel to the receiver. The receiver consists of an analysis device followed
by a detection unit, both controlled by a processing unit. A random number generator
allows the processing unit to randomly choose the analysis basis. The emitter and the
receiver are connected by a conventional communication channel.

The emitter encodes each bit in the state of an elementary quantum system, belonging
to either of the two sets $A = \{|0_a\rangle, |1_a\rangle\}$ or
$B = \{|0_b\rangle, |1_b\rangle\}$, chosen such that
$|\langle 0_a|1_a\rangle| = \eta_a \neq 0$, $|\langle 0_b|1_b\rangle| = \eta_b \neq 0$,
and that there does not exist a single quantum operation, whether probabilistic or not,
reducing simultaneously the overlaps of the states within all the sets (see Fig. 2, left).

In order to obtain correlated results with those of the emitter, the receiver has to
distinguish between two non-orthogonal states. He can do so by implementing in his
analysis device a generalized measurement that unambiguously discriminates between
these two states at the expense of sometimes getting an inconclusive result. Such a
measurement can be realized by a selective filtering, whose effect is not the same on all
states, followed by a von Neumann measurement on the states that pass the filter. In
the example of Fig. 2, this filter, discriminating between the elements of A, is given by
$F_A = \frac{1}{\sqrt{1+\eta}}\left(|+x\rangle\langle 1_a^{\perp}| + |-x\rangle\langle 0_a^{\perp}|\right)$,
where $|\psi^{\perp}\rangle$ is the state orthogonal to $|\psi\rangle$. A fraction
$1-\eta$ of the states of set A passes this filter. For the states that do, the von Neumann
measurement of $\sigma_x$ allows their discrimination. The emitter randomly applies on each
quantum system one of the two filters $F_A$ or $F_B$, and measures $\sigma_x$ on the outcome.
Subsequently, the emitter discloses for each bit to which set A or B the associated
quantum system belonged. The receiver then discards all the items in which he has
chosen the wrong filter and informs the emitter.

One particular example of a protocol that belongs to this new class amounts to a simple
modification of the key distillation procedure applied to bits produced by an apparatus
normally used with the BB84 protocol.

The emitter sends randomly one of the four states $|\pm x\rangle$ or $|\pm y\rangle$. He
applies the convention that $|\pm x\rangle$ code for 0 and $|\pm y\rangle$ code for 1. For
a given state, the receiver measures randomly $\sigma_x$ or $\sigma_y$, which constitutes
the most effective unambiguous way to discriminate between these states. After the
exchange of a sufficiently large number of states, the emitter announces publicly one of
the four pairs of non-orthogonal states
$A_{\omega,\omega'} = \{|\omega x\rangle, |\omega' y\rangle\}$, with
$\omega, \omega' \in \{+,-\}$. Within each set, the overlap of the two states is




Let us assume for example that a $|+x\rangle$ was sent by the emitter, and that he
subsequently announced the set $A_{+,+}$. If the receiver has measured $\sigma_x$, which
happens with 50% probability, he obtains with certainty the result +1. However, since this
outcome is possible for both states in the disclosed set $A_{+,+}$, it must be discarded.
If the receiver has measured $\sigma_y$ and obtained +1, again he cannot decide which
state was sent by the emitter. However if he has measured $\sigma_y$ and obtained -1,
then he knows that the emitter must have sent $|+x\rangle$ and adds a 0 to his key.
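
The sifting rule just described can be simulated classically. The Python below is an added example, not code from the original document: it assumes ideal single-photon states, a lossless and noiseless channel and no eavesdropper, and uses a seeded software PRNG in place of the hardware random number generators. All function names are chosen for this example.

```python
import random

def measure(state, basis, rng):
    """Ideal measurement of sigma_x or sigma_y on one of |+-x>, |+-y>.
    Same basis as preparation: the sign is read out with certainty.
    Other basis: +1 or -1 with probability 1/2 each."""
    prep_basis, sign = state
    return sign if basis == prep_basis else rng.choice((+1, -1))

def announce_pair(state, rng):
    """Emitter's public announcement (omega, omega') of a set A_{omega,omega'}
    that contains the sent state; the partner state's sign is random."""
    prep_basis, sign = state
    other = rng.choice((+1, -1))
    return (sign, other) if prep_basis == "x" else (other, sign)

def receiver_decode(pair, basis, outcome):
    """Return the key bit for a conclusive result, None otherwise.
    An outcome opposite to the announced sign in the measured basis rules out
    that member of the pair, so the other member must have been sent."""
    omega, omega_p = pair
    if basis == "x" and outcome != omega:
        return 1  # |omega x> excluded, so |omega' y> was sent (codes for 1)
    if basis == "y" and outcome != omega_p:
        return 0  # |omega' y> excluded, so |omega x> was sent (codes for 0)
    return None

def run_sifting(n, seed=1):
    """Exchange n states and return (emitter_key, receiver_key) after sifting."""
    rng = random.Random(seed)  # simulation only, seeded for reproducibility
    emitter_key, receiver_key = [], []
    for _ in range(n):
        state = (rng.choice("xy"), rng.choice((+1, -1)))
        basis = rng.choice("xy")
        outcome = measure(state, basis, rng)
        bit = receiver_decode(announce_pair(state, rng), basis, outcome)
        if bit is not None:
            emitter_key.append(0 if state[0] == "x" else 1)
            receiver_key.append(bit)
    return emitter_key, receiver_key

if __name__ == "__main__":
    n = 20000
    a, b = run_sifting(n)
    print(f"sifted {len(b)} of {n} ({len(b) / n:.3f}), keys equal: {a == b}")
```

In this idealized setting about one quarter of the exchanged states yield a conclusive result, and the two sifted keys agree bit for bit.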



The other steps of key distillation (QBER estimate, error correction and privacy 
amplification) remain unchanged. 

Other objects and advantages of the present invention will become apparent from the
following descriptions, taken in connection with the accompanying drawings, wherein,
by way of illustration and example, an embodiment of the present invention is disclosed.

BRIEF DESCRIPTION OF THE DRAWINGS 

Embodiments of the invention will now be described, by way of example only, with
reference to the accompanying drawings in which:

Fig. 1 schematically illustrates one embodiment of the invention, and
Fig. 2 shows an example of two sets of non-orthogonal states used in the new class of
QC protocols, the four states lying in a plane of the Poincaré sphere passing through its
center. Effect of the filter $F_A$.





DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Detailed descriptions of the preferred embodiment are provided herein. It is to be
understood, however, that the present invention may be embodied in various forms.
Therefore, specific details disclosed herein are not to be interpreted as limiting, but
rather as a basis for the claims and as a representative basis for teaching one skilled in
the art to employ the present invention in virtually any appropriately detailed system,
structure or manner.

Referring to Fig. 1, one embodiment of the invention comprises an emitter 10 and a
receiver 40 connected by a quantum channel 20 and a conventional channel 30. The
emitter consists of a quantum state source 11 and a preparation device 12 controlled by
a processing unit 13. A random number generator 14 is connected to the processing
unit 13. The receiver 40 consists of an analysis device 41 and a detection unit 42
controlled by a processing unit 43. A random number generator 44 is connected to the
processing unit 43.

The emitter generates a quantum state using his source 11 and encodes, using the
preparation device 12, the value of each bit on this quantum state belonging to either of
the two sets $A = \{|0_a\rangle, |1_a\rangle\}$ or $B = \{|0_b\rangle, |1_b\rangle\}$,
chosen such that $|\langle 0_a|1_a\rangle| = \eta_a \neq 0$,
$|\langle 0_b|1_b\rangle| = \eta_b \neq 0$, and that there does not exist a single quantum
operation, whether probabilistic or not, reducing simultaneously the overlaps of the
states within all the sets (see Fig. 2, left). The states are then sent to the receiver on
the quantum channel 20.

The receiver uses his analysis device 41 to perform a generalized measurement that
unambiguously discriminates between these two states at the expense of sometimes
getting an inconclusive result. Such a measurement is realized by a selective filtering,
whose effect is not the same on all states, followed by a von Neumann measurement on
the states that pass the filter. An example of such a filter, discriminating between the
elements of A, is given by
$F_A = \frac{1}{\sqrt{1+\eta}}\left(|+x\rangle\langle 1_a^{\perp}| + |-x\rangle\langle 0_a^{\perp}|\right)$,
where $|\psi^{\perp}\rangle$ is the state orthogonal to $|\psi\rangle$. A fraction
$1-\eta$ of the states of set A passes this filter. For the states
that do, the von Neumann measurement of $\sigma_x$ allows their discrimination. The detection
unit 42 records the outcome of the generalized measurement. The processing unit of
the emitter 43 randomly applies on each qubit one of the two filters $F_A$ or $F_B$, and
measures $\sigma_x$ on the outcome. Subsequently, the emitter discloses for each bit the set A
or B. The receiver then discards all the items in which he has chosen the wrong filter
and informs the emitter through messages on the conventional channel 30.

The emitter and the receiver then follow the procedure of key distillation comprising the
steps of QBER estimate, error correction and privacy amplification.

This new class of protocols is straightforwardly generalized to the use of quantum 
systems comprising more than two levels. 

It can also be generalized to the cases where more than two sets of states are used. 

While the invention has been described in connection with a preferred embodiment, it is
not intended to limit the scope of the invention to the particular form set forth, but on the
contrary, it is intended to cover such alternatives, modifications, and equivalents as may
be included within the spirit and scope of the invention as defined by the appended
claims.